<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE SOAP-ENV:Envelope [ <!ELEMENT SOAP-ENV:Envelope ANY> <!ATTLIST SOAP-ENV:Envelope entityReference CDATA #IMPLIED> <!ENTITY x0 "foo"> <!ENTITY x1 "&x0;&x0;" > <!ENTITY x2 "&x1;&x1;" > ... <!ENTITY x98 "&x97;&x97;" > <!ENTITY x99 "&x98;&x98;" > ] > <SOAP:Envelope entityReference="&x99;" xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/"> <SOAP:Body> <keyword xmlns="urn:parasoft:ws:store">foo</keyword> </SOAP:Body> </SOAP:Envelope>When a Web service receives such a message, and if the XML parser has DTD processing enabled, then it will cause the server to expand the entity reference x99;. This reference is defined in the DTD section which comes with the message (highlighted in red) to be equal to &x98; repeated twice, which is in turn defined as &x97; repeated twice and so on all the way to x0. In other words:
x0 = "foo" x1 = "foofoo" x2 = "foofoofoofoo" … x99 = "foofoofoofoofoo…foo" or "foo" repeated 299 = 633825300114114700748351602688As the service expands the value of x, the size of the string containing the concatenated words "foo" reaches exponential levels, which causes it to quickly consume the server memory that is allocated to the application. Such exhaustion of the server resources causes a DoS, as other legitimate requests would not be processed while the server is busy concatenating useless "foo" strings.
To protect against such attacks, be sure to either use known commercial or open-source SOAP stacks that disallows DTDs, such as Apache Axis, or that ship as part of application server frameworks, such as .NET, WebLogic, WebSphere, etc. You can also disable DTD parsing in your XML parser. Certainly, adopting standards-based packages is often more secure than implementing things on your own.
This was first published in February 2006